Warning improvements #51

Merged
merged 4 commits into from
Apr 13, 2023
Merged
5 changes: 5 additions & 0 deletions Changelog.md
@@ -1,5 +1,10 @@
# Changes to rhel9CIS

## 1.0.7

lint and yamll updates
improvemnst to 6.1.10, 6.1.11, 6.1.13, 6.1.14

## 1.0.6

updated ymlalint as galaxy doenst honouyr local settings
77 changes: 46 additions & 31 deletions tasks/section_6/cis_6.1.x.yml
Expand Up @@ -160,22 +160,24 @@
label: "{{ item.mount }}"
when: item['device'].startswith('/dev') and not 'bind' in item['options']

- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact"
ansible.builtin.set_fact:
rhel_09_6_1_10_unowned_files_found: true
loop: "{{ rhel_09_6_1_10_audit.results }}"
when: item.stdout | length > 0

- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
ansible.builtin.debug:
msg: "Warning !! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
loop: "{{ rhel_09_6_1_10_audit.results }}"
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0
msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}"
when: rhel_09_6_1_10_unowned_files_found

- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.1.10'
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0

when: rhel_09_6_1_10_unowned_files_found
vars:
rhel_09_6_1_10_unowned_files_found: false
when:
- rhel9cis_rule_6_1_10
tags:
Expand All @@ -199,21 +201,24 @@
label: "{{ item.mount }}"
when: item['device'].startswith('/dev') and not 'bind' in item['options']

- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact"
ansible.builtin.set_fact:
rhel_09_6_1_11_ungrouped_files_found: true
loop: "{{ rhel_09_6_1_11_audit.results }}"
when: item.stdout | length > 0

- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
ansible.builtin.debug:
msg: "Warning !! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
loop: "{{ rhel_09_6_1_11_audit.results }}"
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0
msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}"
when: rhel_09_6_1_11_ungrouped_files_found

- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.1.11'
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0
when: rhel_09_6_1_11_ungrouped_files_found
vars:
- rhel_09_6_1_11_ungrouped_files_found: false
when:
- rhel9cis_rule_6_1_11
tags:
Expand Down Expand Up @@ -244,24 +249,29 @@
ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000
failed_when: false
changed_when: false
register: rhel_09_6_1_13_perms_results
register: rhel_09_6_1_13_suid_perms
loop: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"

- name: "6.1.13 | AUDIT | Audit SUID executables | set fact SUID executables"
ansible.builtin.set_fact:
rhel9_6_1_13_suid_found: true
loop: "{{ rhel_09_6_1_13_suid_perms.results }}"
when: item.stdout | length > 0

- name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
ansible.builtin.debug:
msg: "Warning!! Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
loop: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}"
when:
- rhel_09_6_1_13_perms_results.stdout is defined
msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"
when: rhel9_6_1_13_suid_found

- name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.1.13'
when:
- rhel_09_6_1_13_perms_results.stdout is defined
when: rhel9_6_1_13_suid_found
vars:
rhel9_6_1_13_suid_found: false
when:
- rhel9cis_rule_6_1_13
tags:
Expand All @@ -278,24 +288,29 @@
ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
failed_when: false
changed_when: false
register: rhel_09_6_1_14_perms_results
register: rhel_09_6_1_14_sgid_perms
loop: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.mount }}"

- name: "6.1.14 | AUDIT | Audit SGID executables | Set fact SGID executables"
ansible.builtin.set_fact:
rhel9_6_1_14_sgid_found: true
loop: "{{ rhel_09_6_1_14_sgid_perms.results }}"
when: item.stdout | length > 0

- name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist"
ansible.builtin.debug:
msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
loop: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}"
when:
- rhel_09_6_1_14_perms_results.stdout is defined
msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}"
when: rhel9_6_1_14_sgid_found

- name: "6.1.14 | AUDIT | Audit SGID executables| warning"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.1.14'
when:
- rhel_09_6_1_14_perms_results.stdout is defined
when: rhel9_6_1_14_sgid_found
vars:
rhel9_6_1_14_sgid_found: false
when:
- rhel9cis_rule_6_1_14
tags:
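Review bot: The new `set fact` tasks for 6.1.10 and 6.1.11 evaluate `item.stdout | length > 0` over every entry of the registered results, yet the audit tasks they read appear to loop with a `when` on the mount (`item['device'].startswith('/dev') and not 'bind' in item['options']` is visible as context), so skipped mounts such as tmpfs, proc or bind mounts yield result entries with no `stdout` key and the conditional itself will fail with an undefined-variable error rather than skip; the previous `item.stdout_lines is defined` guard was dropped in this change. Restore it, e.g. `when: item.stdout is defined and item.stdout | length > 0` (6.1.13 and 6.1.14 loop over all mounts without a `when`, so every result there carries `stdout`). The debug messages now also rely on `json_query`, a community.general filter that needs the `jmespath` Python package on the controller, and because the task is gated on the found-fact it would only surface as a failure on a host that actually has findings; a native expression such as `{{ rhel_09_6_1_10_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}` avoids the extra dependency. Minor: 6.1.11 declares its block `vars:` as a list (`- rhel_09_6_1_11_ungrouped_files_found: false`) while the other three controls use a mapping; Ansible accepts both, but the mapping form should be used consistently. Each of these blocks begins and ends outside the hunks shown (the block-level `when:`/`tags:` stanzas continue past the cut).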